MALICIOUS
302
Risk Score
Malware Insights
MITRE ATT&CK
T1059.003 Windows Command Shell
T1105 Ingress Tool Transfer
The sample exhibits high-confidence heuristics indicating the use of API hashing for resolving functions and suspicious invocation of cmd.exe. Crucially, it references the URLDownloadToFile API, suggesting an attempt to download additional content. The embedded URL points to a suspicious domain, likely serving as the source for a second-stage payload. The document body is heavily obfuscated and appears to contain shellcode or script fragments.
Heuristics 8
-
Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOADReference to URLDownloadToFile API
-
x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALLx86 GetPC stub (CALL $+5; POP EAX)
-
PEB access via FS segment (x86) high SC_PEB_ACCESSPEB access via FS segment (x86)
-
PEB API-hash resolver high SC_API_HASH_RESOLVERPEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
-
Suspicious cmd.exe invocation with execution flag high SC_STR_CMDSuspicious cmd.exe invocation with execution flag
-
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://bmwftp.blogdns.net:8080/nnn/#
Open this report in the interactive analyzer, or submit your own file for analysis.